
I have several Cloud Functions (in Python) that require a modular package auth, in which there is a subfolder with credentials (containing mostly JSON files for Google Service Accounts or Firebase configurations).

From a security perspective, I have obviously not included these files in git by adding the folder (auth/credentials) to the .gitignore file.

However, I am now stuck with what to do when deploying the Google Cloud Function (.gcloudignore). If I deploy it with the credentials, then I imagine that these keys are exposed on the server? How could I overcome this?

I have heard some speak of environment variables, but I am not sure whether this is more secure than just deploying it?

What is the Google Way of doing it?

WJA
  • Store your secrets in another service and use Kolban's answer of Per-function Identity to control access to the other service. This removes the requirement for credentials in your code. If all you need are service account credentials and no other secrets, and you are using Google client libraries, you do not need any other credentials to access Google services. For other types of secrets, store them in Cloud Storage, optionally encrypted by KMS, with access controlled by the service account identity. – John Hanley Oct 28 '19 at 18:03
  • I wrote an article on these techniques for Cloud Run. Exact same principles apply: https://www.jhanley.com/google-cloud-run-identity/ – John Hanley Oct 28 '19 at 18:04
  • Do you have secrets other than the JSON key file? – guillaume blaquiere Oct 29 '19 at 13:11
  • No other secrets besides JSON key files. I want to do the least work while still doing something that is safe. – WJA Oct 29 '19 at 14:55

1 Answer

You have two primary solutions available to you. The first is that the Cloud Function can run with the identity of a custom Service Account. This service account can then be associated with all the roles necessary for your logic to achieve its task. The value of this is that no credentials need be explicitly known to your logic. The environment in which your calls are being made "implicitly" has all that it needs.

See: Per-function identity

The second mechanism, which is more in line with what you are currently doing, uses the concept of the Compute Metadata Server. This metadata can be configured with the tokens necessary to make onward calls. The metadata is configured separately from your Cloud Function logic, which merely retrieves the data as needed.

See: Fetching identity and access tokens.

Kolban
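The per-function identity approach from the answer above, as an added Python example (not code from the question or the answer): the function obtains tokens for its runtime service account from the Compute Metadata Server, so no JSON key file has to be shipped in the deployment. The metadata host, path and Metadata-Flavor header are Google's documented values; the injectable transport and clock are assumptions so the logic can be exercised offline with a constructed fake server.

```python
import json
import time
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

# Documented metadata-server address; reachable only from inside the runtime.
METADATA_HOST = "http://metadata.google.internal"
SA_PATH = "/computeMetadata/v1/instance/service-accounts/default"
# The server rejects requests without this header, so code that reaches it by
# accident (e.g. through a user-supplied URL) cannot read tokens.
METADATA_HEADERS = {"Metadata-Flavor": "Google"}

Transport = Callable[[str, Dict[str, str]], bytes]

def urllib_transport(url: str, headers: Dict[str, str]) -> bytes:
    """Real HTTP call; only works when running on Google Cloud."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=3) as resp:
        return resp.read()

class MetadataCredentials:
    """Fetches and caches tokens for the function's runtime service account.
    No key file is involved: the identity is whatever the function was
    deployed with, so access is governed by IAM, not by a file in the repo."""

    def __init__(self, transport: Transport = urllib_transport,
                 now: Callable[[], float] = time.time) -> None:
        self._transport = transport  # injectable transport (assumption, for offline tests)
        self._now = now
        self._cache: Dict[Tuple[str, ...], Tuple[str, float]] = {}

    def service_account_email(self) -> str:
        url = METADATA_HOST + SA_PATH + "/email"
        return self._transport(url, METADATA_HEADERS).decode()

    def access_token(self, scopes: Optional[Iterable[str]] = None) -> str:
        key = tuple(sorted(scopes or ()))  # cache per scope set, not one token for all
        cached = self._cache.get(key)
        if cached and cached[1] - self._now() > 60:  # reuse until ~1 min before expiry
            return cached[0]
        url = METADATA_HOST + SA_PATH + "/token"
        if key:
            url += "?scopes=" + ",".join(key)
        body = json.loads(self._transport(url, METADATA_HEADERS))
        if body.get("token_type") != "Bearer" or "access_token" not in body:
            raise RuntimeError("unexpected token response from metadata server")
        self._cache[key] = (body["access_token"], self._now() + float(body["expires_in"]))
        return self._cache[key][0]
```

With auth/credentials also listed in .gcloudignore, the deployed function contains no key at all; the token is tied to the deployed identity and expires on its own.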